Establishing information security policy compliance culture in organizations
Information and Computer Security
ISSN: 2056-4961
Article publication date: 8 October 2018
Issue publication date: 8 October 2018
Abstract
Purpose
This paper aims to establish that employees’ non-compliance with information security policy (ISP) could be addressed by nurturing ISP compliance culture through the promotion of factors such as supportive organizational culture, end-user involvement and compliance leadership to influence employees’ attitudes and behavioural intentions towards ISP in organizations. This paper also aims to develop a testable research model that might be useful for future researchers in predicting employees’ behavioural intentions.
Design/methodology/approach
In view of the study’s aim, a research model showing how three key constructs can influence the attitudes and behaviours of employees towards the establishment of an information security policy compliance culture (ISPCC) was developed and validated in an empirical field survey.
Findings
The study found that factors such as supportive organizational culture and end-user involvement significantly influenced employees’ attitudes towards compliance with ISP. However, leadership showed the weakest influence on attitudes towards compliance. The overall results showed that employees’ attitudes and behavioural intentions towards ISP compliance together influenced the establishment of ISPCC for ISP compliance in organizations.
Practical implications
Organizations should influence employees’ attitudes towards compliance with ISP by providing effective ISP leadership, encouraging end-user involvement during the drafting and updating of ISP and nurturing a culture that is conducive to ISP compliance.
Originality/value
The study provides some insights on how to effectively address the problem of non-compliance with ISP in organizations through the establishment of ISPCC, which has not been considered in any past research.
Citation
Amankwa, E., Loock, M. and Kritzinger, E. (2018), "Establishing information security policy compliance culture in organizations", Information and Computer Security, Vol. 26 No. 4, pp. 420-436. https://doi.org/10.1108/ICS-09-2017-0063
Publisher: Emerald Publishing Limited
Copyright © 2018, Emerald Publishing Limited